Vulnerability: Cross-Site Request Forgery and Cross-Site Scripting in jsonp.php.Status: Patched.Details: The Twitiq jsonp.php web page did not use authenticity code in order to validate that the HTTP post is coming from the Twitiq web application. Also, the jsonp.php did not encode HTML entities in the "jcb" variable.Both vulnerabilities could have been used by an attacker to automatically send tweets, direct messages or follow/unfollow other twitter users on behalf of it's victims.Proof of Concept: http://www.twitiq.com/jsonp.php?jcb=%3Cscript%3Ealert("xss")%3C%2Fscript%3E&action_jsonp=new_status&status=CSRFScreenshots:

Vendor response rateThe vulnerabilities were fixed within 1 hour after they have been reported. Excellent - 5 twits.